W3C home > Mailing lists > Public > www-talk@w3.org > January to February 1997

Re: errata for cookie spec

From: Matthew Rubenstein <ruby@name.net>
Date: Fri, 07 Feb 1997 10:03:27 -0500
Message-Id: <2.2.32.19970207150327.008c9f24@mail.name.net>
To: Jeremey Barrett <jeremey@veriweb.com>
Cc: koen@win.tue.nl, www-talk@w3.org
At 01:23 AM 2/7/97 -0800, Jeremey Barrett wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>> Matthew Rubenstein:
>> [...]
>> >        Domains' cookies should be partitioned from one another. However,
>> >preventing a domain from sending its cookie to another domain's server for
>> >parsing only forces the sender to use out-of-band communication between
>> >servers - higher cost, especially in syncing the timing with the user's
>> >navigation between the servers.
>> 
>> This higher cost and difficulty of syncing is not a bug, it is a feature!
>> And this syncing is going to get more difficult still when we get country
>> level proxies.
>> 
>> Servers have no business sharing information without the user's consent, and
>> I therefore see not reason why sharing information in a sneaky way should be
>> particularly cheap or easy.  If they want to share, let them embed the info
>> in a link where the user can see it.

>Exactly. The user-agent is the _user_ _agent_. Not the server agent.
>Obviously the user-agent needs to give _some_ information to servers,
>else they could not function. Cookies provide this. But the user-agent
>should serve the interests of the user, and they are _not_ served by
>allowing hidden tracking of users across sites. I can think of _no_
>other application of the "container document from site A containing img 
>sent out by a CGI from site B which also happens to set/retrieve cookies"
>scheme. If one does arise, well the behavior should be configurable.

>> Servers have no business sharing information without the user's consent,

        Sharing info about customers is a VERY BIG business. The entire
marketing industry consists of this practice, and marketing professionals
provide the funds for the preeminent commercial sites - this trend will only
become more exaggerated. Commercial sites are certain to overcome this tech
limit by spending money on interdomain communication of client state history.

        Saatchi & Saatchi will deliver value both to users and to
Colgate-Palmolive by reporting users' hygiene habits learned at the
toothpaste site to their Irish Spring soap site for cross-promotion. In the
our modern era, Colgate-Palmolive will likely send the info to Proctor and
Gamble for the same highly profitable reason. "Interdomain communication of
client state" between corporate entities is a hallmark of modern commerce.
The irony is that the Internet is not only driving the consumer centered
expression of this practice, it has become its most common symbol. And it
looks like the HTTP-WG wants to raise the costs (which get passed on to us)
of these techniques.

        The only parties that will actually be prevented from sharing info
this way are those who have neither time nor money to deploy the
communication. My sister sets up a Tibetan resources site. Her university
sets up a Chinese politics watch. She wants her users to be able to receive
mass-customized material as offered by the university in response to their
history. She can insert a dozen 4K long URLs into the link to the relevant
page to ensure that users who have been sensitized to the "privacy invasion"
by cookies are served quickly and completely. Her roommate must match
Unilever's budgets to share Bronte site user info with an associate's Eliot
site.

        If this is a good solution, what are we wasting our time on cookies
for, anyway? Just as a user can view the source of the page and trim the
state data out of the URL, the user can view their cookie file and delete
the cookie. Cookies make a complex technique, that experience has shown is
useful, part of the baseline functionality for developers. Why cripple it
superfluously?

 
>> >Matthew Rubenstein                     North American Media Engines

>> Koen.

>Jeremey Barrett                                  VeriWeb Internet Corp.
--
Matthew Rubenstein                     North American Media Engines
Toronto, Ontario   *finger matt for public key*       (416)943-1010

               They also surf who only stand on waves.
Received on Friday, 7 February 1997 10:15:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:22 GMT